For future readers, one way to fix this behaviour is to pass the basic auth by kwargs:
```python
>>> import requests
>>> r = requests.get("http://httpbin.org/status/401", auth=("user", "passwd"))
>>> r.raise_for_status()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: UNAUTHORIZED for url: http://httpbin.org/status/401
```
Still, seeing that python-requests sends an Authorization header, it looks like we could do something for the original leak, as requests knows which part of the URL is the authentication:
```python
>>> r = requests.get("http://user:password@httpbin.org/status/401")
>>> r.raise_for_status()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: UNAUTHORIZED for url: http://user:password@httpbin.org/status/401
>>> r.request.headers
{'User-Agent': 'python-requests/2.21.0', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Authorization': 'Basic dXNlcjpwYXNzd29yZA=='}
```
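An added example, not part of the comment above and not code from requests itself: a standard-library sketch of the two mitigations discussed here, splitting the userinfo out of a URL so it can be passed via `auth=`, and scrubbing credentials from exception or log text. The names `split_credentials`, `redact_message` and `RedactURLCredentials` are hypothetical.

```python
import logging
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Matches http(s) URLs embedded in free text such as exception messages.
_URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def split_credentials(url):
    """Return (url_without_userinfo, auth); auth is (user, password) or None."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url, None
    # rpartition keeps host[:port] intact even if the password contains '@'.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user, _, password = userinfo.partition(":")
    clean = urlunsplit(
        (parts.scheme, hostport, parts.path, parts.query, parts.fragment)
    )
    # Userinfo is percent-encoded in a URL; decode it for use with auth=.
    return clean, (unquote(user), unquote(password))


def redact_message(text):
    """Strip userinfo from every http(s) URL found in text."""
    return _URL_RE.sub(lambda m: split_credentials(m.group(0))[0], text)


class RedactURLCredentials(logging.Filter):
    """Logging filter that scrubs URL credentials from the rendered message.

    It covers the log message only; traceback text attached through
    exc_info is formatted later and is not rewritten here.
    """

    def filter(self, record):
        record.msg = redact_message(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    # Sample message taken from the traceback shown on this page.
    leaked = ("401 Client Error: UNAUTHORIZED for url: "
              "http://user:password@httpbin.org/status/401")
    print(redact_message(leaked))
    print(split_credentials("http://user:password@httpbin.org/status/401"))
```

The tuple returned by `split_credentials` can be passed as the `auth=` argument shown in the first snippet, so the URL that requests later puts in its error message no longer carries the password.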
Overv linked a pull request Oct 2, 2019 that will close this issue
Calling `raise_for_status()` outputs (leaks) the HTTP basic auth password when raising an exception.

Expected Result

Actual Result

Here we can see the HTTP password in the resulting exception (`somepassw` in our case)

System Information